
Next Gen Tactical Attacks

Hacking has evolved from direct exploitation to multi-stage tactical attacks. Client side exploitation, application level attacks and complex social engineering are the threats of the day. Does the conventional threat definition work anymore? Are the conventional security solutions geared to face the emerging attacks?

How has hacking changed?

Hacking has moved beyond exploitation

With the technological advancements in existing security measures like firewalls, IPS, anti-virus etc., the attacker's approach is also changing significantly. As direct exploitation of network devices, operating systems and applications is getting tougher, attackers are increasingly turning to exploiting employees and users, finding multi-stage attack paths, attacking client software and attacking rich internet applications. Organizations often miss the vulnerabilities that result from this "tactical approach" and live in a false sense of security. Anyone who thinks that security products alone can offer true security is settling for the illusion of security.

Hacking has ceased to be only about exploits, because vulnerabilities are transient. A newly discovered vulnerability will be patched in the next cycle, rendering the exploit totally useless. In a typical penetration test only one or two real exploits may be successfully used. The rest of the time is spent obtaining passwords, abusing trust relationships, tricking authentication systems and hijacking services to gain access to more systems. This is also true for attackers looking beyond exploits to gain access to and control of confidential information.

Attackers are now opportunists, attacking the opportunity of applications, people and process for successful break-ins. H D Moore & Valsmith's paper "Random Pwning Fun Bag" first gave a good glimpse of the various tactical approaches of the current day attacker. Below we describe some of those next generation tactical attacks, and iViZ's own experience of them, that are successfully used to find unknown and newer vulnerabilities:

"Attackers are now opportunists: attacking the opportunity of weak applications, people and process for successful break-ins"

Attacking Data in Motion

Contrary to attacking the vulnerable software directly, attackers are interested in exploiting the opportunity of intercepting data in motion. Attackers are interested in gaining access to the data, not in gaining administrative privileges. So even though you might have a very secure system, a sophisticated attacker can steal your data without attacking your secure system!

"Gaining access to the data in transit may be easier and more attractive for a hacker rather than gaining root privilege"

File Transfers

Traditional attacks involved exploiting the FTP server software. However, in the tactical approach, attackers focus on the data transfer: the opportunity of the actual transfer in process. File transfers attacked in this way could be FTP or NFS, leading to significant confidential data disclosure. This is also a premium attack vector, as most organizations, small or large, use file transfers in some form or the other.

Mail services

Unencrypted email can be read easily while it is making its way to your friend's inbox! A typical mail system is composed of one or more relay systems, some form of antivirus / spam filter, the real mail server itself and finally the user's email client. Traditionally attackers focused only on the intermediate systems; however, in the tactical approach they target the mail clients as well. For example, in older versions of some mail clients, if two email messages containing the same attachment name are received, the newer message can overwrite the previous message's attachment. This can be used to replace a trusted attachment with a backdoor within the user's mailbox.

Attacking DNS services

With a moderate security level, most DNS servers are configured to reject zone transfers from unauthorized hosts. However, in the tactical approach, attackers use brute force on possible domain and host names to determine whether those entries exist. Many DNS servers are mis-configured to allow reverse DNS lookups of private addresses, exposing the names and addresses of important servers on the internal network. A successful attack can lead to false DNS records being injected into the cache and a potential hijack of internal and external domains. Dan Kaminsky's famous and shocking DNS attack is an example of this attack.

Trust is one of the most easily exploitable things to attack and leverage in a tactical approach. iViZ, while conducting many penetration tests, has found that exploiting trust based relationships can offer attackers easy access to even the most secure systems! An example of tactically exploiting a trust based relationship is the use of custom software meant for system administration running on all the computers inside a network with administrative privileges. This means that this application is trusted by every computer in the network. By reverse engineering the software for the hardcoded username and password, attackers can compromise every host inside the network. Any resource trusted by more than one user or computer is a potential leverage point for the attacker.

Conventional wisdom suggests that it is important to focus on critical assets only. But there are severe vulnerabilities in less critical assets that can be used by attackers as a launching pad for breaking into the network. As a recent example of a famous security breach, a hacker broke into the entire network by using a vulnerability in an administrator's desktop. The possibilities and combinations of such attacks are huge and are important to mitigate. Unfortunately, multi-stage attacks are complex and it is beyond the capacity of human minds to find out all possible attack paths. The situation gets more complex when an attacker breaks into several such less critical hosts and chains the attack payload through them before reaching the final secure critical server.

There are many low threat vulnerabilities in hosts that appear harmless because of their low severity rating. However, these often lead to severe vulnerabilities in a system. Attackers are increasingly exploiting this opportunity. Security managers focus mostly on eliminating high threat vulnerabilities, leaving the low threat ones open, falsely assuming that they pose little or no threat at all!

"What may appear as a benign or low-priority vulnerability on a host may be used as a launching point for an attacker to penetrate other devices on the network"

Client Side Exploitation

Attackers are exploiting client side software like browsers, word processors and document readers to gain access to the victim's system. Since users are trusted within a network, attackers can now easily bypass perimeter security devices. Browsers and email clients are the most popular targets since they are prevalent on any desktop/laptop. There have been a lot of vulnerability disclosures in IE, Firefox, Opera, Safari, MS Word, Adobe, MS Outlook etc.

"A hacker can send you a link or a file. Opening them could easily trigger a trojan download on your system in spite of your firewall."

ARP poisoning with software updates

ARP poisoning combined with Man-in-the-Middle attacks has long been a known technique for attackers to intercept and steal confidential information. The tactical approach uses this technique and goes one step beyond by combining it with automatic fake software updates. Attackers can fool users by forcing their traffic to pass through a rogue gateway set up by ARP poisoning and pushing malicious software updates from a fake update server. As an example, when a fake or trojan-infected update of "Microsoft Word 2007" pops up on the user's screen, an unsuspecting user may install the update believing that it is actually from Microsoft. Every user's workstation can potentially be compromised this way.

Social Engineering

Social engineering hackers exploit the users' credulity, laziness, good manners, or even their enthusiasm. Therefore it is challenging to defend against socially engineered attacks, because the targets may not even realize that they have been duped, or may prefer not to admit it to others.

Advanced social engineering techniques have surfaced in recent times, combined with client side attacks, phishing, and system exploitation. This form of attack is not only effective but also has a devastating impact.
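The DNS section above warns that servers mis-configured to answer reverse lookups for private addresses hand an attacker the names of internal servers. The following script is an added example, not code from the article or from iViZ, of the kind of check a DNS administrator can run over their own zone files before publishing them: it parses a minimal BIND-style zone (only A and PTR records, $ORIGIN, and comments are handled), and reports any record that reveals an RFC 1918 address or the hostname behind one. The zone contents are constructed for the example; the hostnames and addresses are not from the page.

```python
import ipaddress
import re

# Constructed sample zone data (not from the article): a public forward zone that
# leaks internal hosts, and a reverse zone for a private range.
SAMPLE_FORWARD_ZONE = """
$ORIGIN example.com.
www        IN A    203.0.113.10
mail       IN A    203.0.113.25
intranet   IN A    10.0.5.20
backup-db  IN A    192.168.1.7
vpn        IN A    203.0.113.40
"""

SAMPLE_REVERSE_ZONE = """
$ORIGIN 5.0.10.in-addr.arpa.
20   IN PTR  intranet.example.com.
21   IN PTR  fileserver-ad01.example.com.
"""

# RFC 1918 ranges checked explicitly: ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24, which would produce false positives here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# name [ttl] IN (A|PTR) rdata  -- the minimal subset of zone syntax handled here
RECORD_RE = re.compile(r"^\s*(\S+)\s+(?:\d+\s+)?IN\s+(A|PTR)\s+(\S+)\s*$", re.I)


def parse_zone(text):
    """Return (origin, [(name, type, rdata), ...]) for a minimal BIND-style zone file."""
    origin = ""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD_RE.match(line)
        if m:
            name, rtype, rdata = m.groups()
            records.append((name, rtype.upper(), rdata))
    return origin, records


def ptr_to_ip(name, origin):
    """Turn owner '20' under '5.0.10.in-addr.arpa.' into the address '10.0.5.20'."""
    fqdn = name if name.endswith(".") else f"{name}.{origin}"
    labels = fqdn.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:-2]))


def is_rfc1918(ip_str):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def find_private_exposure(zone_text):
    """List records an external resolver could use to learn internal names or addresses."""
    origin, records = parse_zone(zone_text)
    findings = []
    for name, rtype, rdata in records:
        if rtype == "A" and is_rfc1918(rdata):
            findings.append(("A", name, rdata))
        elif rtype == "PTR":
            ip_str = ptr_to_ip(name, origin)
            if ip_str and is_rfc1918(ip_str):
                findings.append(("PTR", ip_str, rdata))
    return findings


if __name__ == "__main__":
    for zone in (SAMPLE_FORWARD_ZONE, SAMPLE_REVERSE_ZONE):
        for finding in find_private_exposure(zone):
            print("internal data served externally:", finding)
```

Records the check flags belong in an internal view of the zone (split-horizon DNS) rather than in the zone the public resolvers see; the forward-zone leak is the more common one, since the reverse zone for a private range is rarely delegated to a public server on purpose.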
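The article states that multi-stage attack paths through less critical hosts are beyond what a human can enumerate by hand, and that low-severity findings are dismissed although they chain into a compromise of the critical server. An attack graph makes that concrete. The following is an added example, not the article's or iViZ's own tool: a small inventory of hosts with the severity a scanner would assign each one on its own, a set of trust and reachability edges (the kind of trust relationships the article describes, such as cached credentials and a reused administrator password), and functions that enumerate every path from the internet to the critical database and find the hosts common to all of them. The host names, severities and edges are constructed for the example.

```python
# Constructed inventory (not from the article). Severities are what a scanner
# would report for each host in isolation; none of them is "high".
HOSTS = {
    "internet":      None,
    "admin-desktop": "low",     # outdated browser plugin
    "file-server":   "low",     # share readable by every domain user
    "jump-host":     "low",     # admin password reused from the file server
    "crm-db":        None,      # the critical asset, fully patched
}

# Directed edges: once "src" is compromised, "dst" becomes reachable via "how".
# Each edge models a trust relationship or reachability fact, not a vulnerability.
EDGES = [
    ("internet",      "admin-desktop", "email attachment opened by the vulnerable plugin"),
    ("admin-desktop", "file-server",   "share mounted with cached credentials"),
    ("admin-desktop", "jump-host",     "SSH key stored on the desktop"),
    ("file-server",   "jump-host",     "backup script containing the reused admin password"),
    ("jump-host",     "crm-db",        "jump host is allow-listed in the database firewall"),
]

SEVERITY_ORDER = {None: 0, "low": 1, "medium": 2, "high": 3}


def build_graph(edges):
    graph = {}
    for src, dst, _ in edges:
        graph.setdefault(src, []).append(dst)
    return graph


def find_attack_paths(edges, source, target):
    """Enumerate every simple path from source to target by depth-first search."""
    graph = build_graph(edges)
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # simple paths only: never revisit a host
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(source, [source])
    return paths


def highest_severity_needed(path, hosts):
    """Worst single-host rating the attacker must exploit anywhere along the path."""
    hops = path[1:-1]                    # exclude the attacker's start and the target
    if not hops:
        return None
    return max((hosts[h] for h in hops), key=lambda s: SEVERITY_ORDER[s])


def choke_points(paths, source, target):
    """Hosts present on every path: fixing any one of them cuts all of them."""
    if not paths:
        return set()
    common = set(paths[0])
    for p in paths[1:]:
        common &= set(p)
    return common - {source, target}


if __name__ == "__main__":
    paths = find_attack_paths(EDGES, "internet", "crm-db")
    for p in paths:
        print(" -> ".join(p), "| worst hop:", highest_severity_needed(p, HOSTS))
    print("fix first:", sorted(choke_points(paths, "internet", "crm-db")))
```

Run on the sample inventory, every path to the database needs nothing worse than a "low" finding, which is the article's point about severity ratings considered one host at a time. The choke-point set is the useful output for a security manager: patching the administrator's desktop or hardening the jump host removes every path, whereas fixing the file server removes only one of them.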
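The ARP poisoning section describes a rogue gateway inserted between users and the network. Because the technique works by answering ARP for an address that belongs to someone else, it leaves a distinctive trace: the MAC address recorded for the gateway changes, and one MAC starts answering for several addresses. The detection logic below is an added example, not code from the article or from iViZ. It runs over a constructed log of ARP replies in a simple "time ip mac op" format (assumed here; a real sensor or switch log would need its own parser) together with a static table of the gateway MAC an administrator expects, and raises an alert for each of the three symptoms.

```python
from collections import defaultdict

# Constructed ARP observations (not from the article), one per line:
# "<time> <sender-ip> <sender-mac> <op>", as a passive sniffer or a switch's
# dynamic ARP inspection log might emit. The gateway 192.168.1.1 starts being
# answered from an unknown MAC at 10:00:09, which then also claims 192.168.1.50.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1   00:11:22:33:44:01 reply
10:00:02 192.168.1.50  00:11:22:33:44:50 reply
10:00:05 192.168.1.1   00:11:22:33:44:01 reply
10:00:09 192.168.1.1   DE:AD:BE:EF:00:99 reply
10:00:10 192.168.1.1   de:ad:be:ef:00:99 reply
10:00:11 192.168.1.50  de:ad:be:ef:00:99 reply
"""

# Static mapping an administrator maintains for the addresses that matter most.
KNOWN_GATEWAYS = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_anomalies(log_text, known_gateways=None):
    """Return (time, kind, subject, detail) alerts for ARP replies that look like poisoning."""
    known_gateways = {ip: mac.lower() for ip, mac in (known_gateways or {}).items()}
    ip_to_mac = {}                 # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has answered for
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[3] != "reply":
            continue               # requests do not establish a mapping
        ts, ip, mac = parts[0], parts[1], parts[2].lower()
        # 1. a protected address answered by a MAC other than the recorded one
        if ip in known_gateways and mac != known_gateways[ip]:
            alerts.append((ts, "gateway-mac-mismatch", ip, mac))
        # 2. the MAC for an address changed since it was last seen
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip-mac-changed", ip, f"{prev}->{mac}"))
        ip_to_mac[ip] = mac
        # 3. one MAC answering for several addresses, typical of a rogue gateway
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", mac,
                           ",".join(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_LOG, KNOWN_GATEWAYS):
        print(*alert)
```

The first rule is the strongest one, since it needs no learning period, but it only covers addresses the administrator has listed; the other two catch changes on any address and fire on legitimate events as well (a replaced NIC, a host with several addresses), so they are better treated as indicators to correlate than as alarms on their own.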